Bug 261326 (bugz_anti-spam_meta)

Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)

NEW
Unassigned

Status

14 years ago
2 years ago

People

(Reporter: bugzillamozilla, Unassigned)

Tracking

(Depends on: 4 bugs, {meta})

Details

(Reporter)

Description

14 years ago
Fixing Bug 120030 improved the situation significantly, but as spam spiders
improve, it may not be enough. This bug is for tracking other spam-prevention bugs:

Bug 215439 - "Provide alternate method for bugzilla users to contact each other,
prevent spam by not showing email addresses"
Bug 218917 - "Allow login_name != email_address, so address isn't displayed
(anti-spam effect too)"
Bug 219021 - "Email addresses should only be displayed to logged in users"
Bug 145499 - "Privacy for email addresses"

Not directly related to Bugzilla, but also worth listing:
Bug 184456 - "lxr.mozilla.org is a spammer's paradise"

Prog.

Updated

14 years ago
Keywords: meta
Summary: [meta] Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs) → Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)

Comment 1

14 years ago
meta bugs depend on bugs, not block them.
No longer blocks: 145499, 184456, 215439, 218917, 219021
Depends on: 145499, 184456, 215439, 218917, 219021
Reassigning bugs that I'm not actively working on to the default component owner
in order to try to make some sanity out of my personal buglist.  This doesn't
mean the bug isn't being dealt with, just that I'm not the one doing it.  If you
are dealing with this bug, please assign it to yourself.
Assignee: justdave → general
QA Contact: mattyt-bugzilla → default-qa

Comment 3

9 years ago
I just got spammed...  from what I believe was recently posting on Mozilla Bugzilla.

This looks like it is an issue that is several years old.  Any progress?

#1 - Remove all visible E-Mail addresses from Bugzilla & force all correspondence to go through the "web forms".
#2 - Strip E-Mail addresses from messages being sent from Bugzilla
#3 - Limit the number of "replies" that an ordinary account can do in a day...  Perhaps limit them to 10, with a review process to allow additional replies.
#4 - I'm not sure it would be necessary, but one could limit e-mail addresses to a very small group of active participants.
#5 - Another option for dealing with E-Mail addresses would be to allow the creation of "friends lists" which would be verified by both people, and allow sharing of personal contact info.
#6 - Many web sites have gone to requiring putting in graphic codes to log in, or to send e-mails.  They are a big pain, but can limit fraudulent access.

P.S.
I suppose I could volunteer to help, but I am a little "rusty" with my Javascript, and would need pretty broad system access.
This bug and dependants should get a LOT more attention!!!
More than 5 years later (and more for some dependent bugs), Bugzilla is still exposing personal email addresses to spammers with no way to change that harmful behaviour. I am getting more and more spam on my bugzilla (bmo) address. If I was a software developer looking for a bug tracking system, this bug alone would make me choose another product. It's a shame. Please do something about it, we really need complete email address privacy.
Severity: normal → critical
Depends on: 163551
Added to the list of dependent bugs (see comment 0):
Bug 163551 - Implement complete email address privacy
Alias: bugz_anti-spam_meta

Comment 6

9 years ago
(In reply to comment #4)

Leave the severity of this bug alone. Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users. The fact that you don't like this bug doesn't allow you to change its severity.
Severity: critical → normal

Updated

9 years ago
Depends on: 536110

Comment 7

9 years ago
I think this bug is critical because it makes a security hole into the worldwide mail system.

Comment 8

8 years ago
(In reply to comment #6)
"Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users."
Wrong! If I were a spam harvester, I would create a bugzilla account, log in, make some simple comments to avoid detection of inactivity, read all the bugs in pseudo random order (to avoid detection) and harvest the email addresses...

Most of the forums have a register page in which I enter a pseudo, my email address (for administrative functions as notifications of new posts, lost password, etc.) and a password. On each post that I write there is my pseudo (not the email address) and a Personal Message button (PM in short) that the reader can push to send me an email without knowing my address. Spamming with the PM button is dangerous because if I complain to the administrator the offender account will be revoked! The pseudo is unique on the forum site because an already in data base pseudo is not accepted at registration time. I have the same pseudo on practically all the forums sites: so it is not difficult to remember it...
Why do you not copy this coding and reinvent the wheel with a dozen of linked bugs?
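
The forum scheme described in comment 8 (unique pseudonym, PM button that relays mail server-side, revocation after a complaint), as an added example that is not part of the original thread and is not Bugzilla code. The class name `RelayForum`, the relay address, the `/pm` URL and the sample accounts are all assumptions made for illustration.

```python
import re

class RelayForum:
    """Accounts are shown by pseudonym; only the server knows the addresses."""

    RELAY_FROM = "no-reply@forum.example"   # hypothetical relay address
    PSEUDO_RE = re.compile(r"[A-Za-z0-9_-]{3,20}")

    def __init__(self):
        self._email = {}       # lowercased pseudonym -> private address
        self._revoked = set()  # accounts revoked by the administrator
        self.outbox = []       # envelopes the mail server would send

    def register(self, pseudo, email):
        # A restricted alphabet keeps the pseudonym safe to place in HTML,
        # URLs and mail headers without further escaping.
        if not self.PSEUDO_RE.fullmatch(pseudo):
            raise ValueError("invalid pseudonym")
        key = pseudo.lower()
        if key in self._email:
            raise ValueError("pseudonym already taken")
        self._email[key] = email

    def byline(self, pseudo):
        # Rendered on every post: pseudonym plus a PM link, never the address.
        if pseudo.lower() not in self._email:
            raise KeyError(pseudo)
        return f'{pseudo} <a href="/pm?to={pseudo}">PM</a>'

    def send_pm(self, sender, recipient, body):
        s, r = sender.lower(), recipient.lower()
        if s not in self._email or r not in self._email:
            raise KeyError("unknown account")
        if s in self._revoked:
            raise PermissionError("account revoked")
        # The envelope is built server-side. The sender's address is withheld
        # as well, so any reply also has to go through the forum.
        self.outbox.append({"To": self._email[r], "From": self.RELAY_FROM,
                            "Subject": f"PM from {sender}", "Body": body})
        return f"Message sent to {recipient}"   # all the sender ever sees

    def complain(self, offender):
        # Administrator action after a recipient reports PM spam.
        self._revoked.add(offender.lower())
```

Even a logged-in account only ever receives pseudonyms and a delivery receipt; the address appears solely in the server-side envelope.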

Updated

6 years ago
No longer depends on: 184456

Comment 9

6 years ago
Slightly better:
- If I am not logged in, the source of "Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT" does not include my email address. This is good!
- If I am logged in, the source of "Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT" includes my email address. This is very bad!
As stated in my previous post, comment 8, an undetected logged-in spam harvester has access to my mail. By the way, I have the knowledge needed to write a script that logs in to Bugzilla, reads a bug report, obtains its source and extracts the emails...
Also "CC List:" shows emails in clear text, and they can be extracted!

Updated

5 years ago
Depends on: 704753

Updated

5 years ago
Depends on: 934300
See Also: → bug 1306750